Using CMS-based SSL Support for z/VM 6.1


Brian W. Hugenbruch, CISSP
z/VM Development Team, IBM: Endicott, NY, USA

Trademarks (slide 2)
The following are trademarks of the International Business Machines Corporation in the United States, other countries, or both. Not all common law marks used by IBM are listed on this page. Failure of a mark to appear does not mean that IBM does not use the mark nor does it mean that the product is not actively marketed or is not significant within its relevant market. Those trademarks followed by * are registered trademarks of IBM in the United States; all others are trademarks or common law marks of IBM in the United States. For a complete list of IBM Trademarks, see www.ibm.com/legal/copytrade.shtml: AS/400, e business (logo), DBE, ESCO, eServer, FICON, IBM, IBM (logo), iSeries, MVS, OS/390, pSeries, RS/6000, S/30, VM/ESA, VSE/ESA, WebSphere, xSeries, z/OS, zSeries, z/VM, System i, System i5, System p, System p5, System x, System z, System z9, BladeCenter.

The following are trademarks or registered trademarks of other companies. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce. All other products may be trademarks or registered trademarks of their respective companies.

Notes: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply. All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area. All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.

Disclaimer (slide 3)
The information contained in this document has not been submitted to any formal IBM test and is distributed on an "AS IS" basis without any warranty either express or implied. The use of this information or the implementation of any of these techniques is a customer responsibility and depends on the customer's ability to evaluate and integrate them into the operational environment. While each item may have been reviewed by IBM for accuracy in a specific situation, there is no guarantee that the same or similar results will be obtained elsewhere. Customers attempting to adapt these techniques to their own environments do so at their own risk. In this document, any references made to an IBM licensed program are not intended to state or imply that only IBM's licensed program may be used; any functionally equivalent program may be used instead. Any performance data contained in this document was determined in a controlled environment and, therefore, the results which may be obtained in other operating environments may vary significantly. Users of this document should verify the applicable data for their specific environments. It is possible that this material may contain reference to, or information about, IBM products (machines and programs), programming, or services that are not announced in your country. Such references or information must not be construed to mean that IBM intends to announce such IBM products, programming or services in your country.

Agenda (slide 4)
- About SSL for z/VM
- Configuring Your SSL Server
- Gathering SSL Status
- Certificate Management
- The How-To Section
- References

About SSL for z/VM (slide 5)
What it is, what it does, where it's going.

About SSL for z/VM (slide 6)
SSL was developed by Netscape to provide secure communications:
- Connection is trusted: certificates authenticate identity
- Connection is private: cryptographic parameters are established during the handshake
- Connection is reliable: a message digest (integrity check) is sent with each message
Standardized by RFC 2246 (Transport Layer Security, TLS 1.0).

About SSL for z/VM: Supported Features (slide 7)
- Support for SSL 3.0 and TLS 1.0
- Provides security functions for any server
- SSL for z/VM TCP/IP clients
- Client authentication
- Certificate database management

About SSL for z/VM: What's Not Supported (slide 8)
- Some forms of hardware encryption: CPACF is used; crypto cards are not
- IPv6 support

New for z/VM 6.1.0 (slide 9)
- SSL server operating in a CMS environment: no need for Linux distributions
- GSKKYMAN for standardized certificate management
- Certificate database maintained in a BFS (Byte File System)
- New cipher suites for stronger encryption
- Removal of FIPS 140-2 support
Support is provided in z/VM 5.4 by PTFs for APARs PK65850, PK73085, PK75268, VM64540, VM64519, and VM64570.

Configuring Your SSL Server (slide 10)
For specific steps for server configuration, see:
- z/VM TCP/IP Planning and Customization, Chapter 22
- z/VM TCP/IP LDAP Administration Guide, Chapter 15

Configuring Your SSL Server (slide 11)
1. Configure PROFILE TCPIP:
   - XAUTOLOG statement
   - SSLSERVERID userid TIMEOUT seconds
   * No need for Admin Port 9999 in z/VM 5.4

Configuring Your SSL Server (slide 12)
2. Configure DTCPARMS; new tags:
   - :Admin_ID_List. indicates which privileged users may use SSLADMIN for administrative commands
   - :Timezone.
   - :Mount. the location of the certificate database in your BFS environment (default is /etc/gskadm/)
3. Set up the certificate database (more on this to follow)
4. Start the SSL server with the VMSSL command, in DTCPARMS or on the command line

Configuring Your SSL Server (slide 13)

Configuring Your SSL Server (slide 14): cipher suites by strength

High:   3DES_168_SHA, DH_DSS_3DES, DH_RSA_3DES, DHE_DSS_3DES, DHE_RSA_3DES,
        RSA_AES_256, DH_DSS_AES_256, DH_RSA_AES_256, DHE_DSS_AES_256, DHE_RSA_AES_256
Medium: RC4_128_SHA, RC4_128_MD5, RSA_AES_128, DH_DSS_AES_128, DH_RSA_AES_128,
        DHE_DSS_AES_128, DHE_RSA_AES_128
Low:    RC2_40_MD5, RC4_40_MD5, DES_56_SHA, DH_DSS_DES, DH_RSA_DES, DHE_DSS_DES, DHE_RSA_DES
None:   NULL, NULL_SHA, NULL_MD5

Note 1: Cipher suites can be exempted from processing either by cipher name or by cipher strength, but not both.
Note 2: Exempting by strength automatically exempts every lower strength as well (exempting Low also exempts None).
The Low column is 40-bit or 56-bit encryption and the None column is no encryption at all; on any network you do not fully control, exempt at least Low so that a client cannot negotiate down to them.
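The two notes above are easy to get wrong in a DTCPARMS edit, so here is an executable model of them, written for this page as an added example (it is not IBM's code and does not call VMSSL). It takes an exemption list, enforces "names or strengths, not both", applies "a strength exempts everything below it", and reports the weakest suite a client could still negotiate. The strength table is copied from the slide; the keyword spellings HIGH/MEDIUM/LOW/NONE and the rejection of unknown cipher names are assumptions of the model, not documented VMSSL behaviour, so check the exact EXEMPT syntax in z/VM TCP/IP Planning and Customization before changing a live server.

```python
"""Model of the VMSSL cipher-exemption rules from the cipher-strength table.

Added example, not IBM's code.  The strength table is copied from the slide.
Assumed (not on the page): that the exemption keywords are spelled exactly
HIGH / MEDIUM / LOW / NONE, and that the real VMSSL command rejects unknown
cipher names.  Check the z/VM TCP/IP Planning and Customization book for
the actual EXEMPT syntax before putting anything into DTCPARMS.
"""
from __future__ import annotations

from typing import Iterable

# Ascending order matters: exempting a strength also exempts everything below it.
STRENGTH_ORDER = ("NONE", "LOW", "MEDIUM", "HIGH")

CIPHERS_BY_STRENGTH = {
    "HIGH": ["3DES_168_SHA", "DH_DSS_3DES", "DH_RSA_3DES", "DHE_DSS_3DES",
             "DHE_RSA_3DES", "RSA_AES_256", "DH_DSS_AES_256", "DH_RSA_AES_256",
             "DHE_DSS_AES_256", "DHE_RSA_AES_256"],
    "MEDIUM": ["RC4_128_SHA", "RC4_128_MD5", "RSA_AES_128", "DH_DSS_AES_128",
               "DH_RSA_AES_128", "DHE_DSS_AES_128", "DHE_RSA_AES_128"],
    "LOW": ["RC2_40_MD5", "RC4_40_MD5", "DES_56_SHA", "DH_DSS_DES",
            "DH_RSA_DES", "DHE_DSS_DES", "DHE_RSA_DES"],
    "NONE": ["NULL", "NULL_SHA", "NULL_MD5"],
}


def strength_of(cipher: str) -> str:
    """Return the strength class of a suite, or raise for a name not in the table."""
    for strength, names in CIPHERS_BY_STRENGTH.items():
        if cipher in names:
            return strength
    raise ValueError(f"unknown cipher suite: {cipher}")


def enabled_ciphers(exempt: Iterable[str]) -> list[str]:
    """Suites left enabled after applying an exemption list, strongest first.

    Note 1 on the slide: the list holds either strength keywords or cipher
    names, never both.  Note 2: a strength keyword also removes every lower
    strength, so exempting LOW removes the LOW and NONE columns together.
    """
    items = [e.upper() for e in exempt]
    keywords = [e for e in items if e in STRENGTH_ORDER]
    names = [e for e in items if e not in STRENGTH_ORDER]
    if keywords and names:
        raise ValueError("exempt by strength or by cipher name, not both")

    removed: set[str] = set()
    if keywords:
        # The highest exempted strength wins; it and everything below it go.
        top = max(STRENGTH_ORDER.index(k) for k in keywords)
        for strength in STRENGTH_ORDER[: top + 1]:
            removed.update(CIPHERS_BY_STRENGTH[strength])
    else:
        for name in names:
            strength_of(name)  # a misspelled name would silently leave a suite enabled
            removed.add(name)

    return [c for s in reversed(STRENGTH_ORDER)
            for c in CIPHERS_BY_STRENGTH[s] if c not in removed]


def weakest_enabled_strength(exempt: Iterable[str]) -> str | None:
    """The weakest strength class still offered to clients (None if nothing is)."""
    enabled = set(enabled_ciphers(exempt))
    for strength in STRENGTH_ORDER:
        if enabled & set(CIPHERS_BY_STRENGTH[strength]):
            return strength
    return None


def policy_error(exempt: Iterable[str]) -> str | None:
    """Return the reason an exemption list is invalid, or None if it is usable."""
    try:
        enabled_ciphers(exempt)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    for policy in ([], ["LOW"], ["MEDIUM"], ["NULL", "RC4_40_MD5"]):
        print(f"EXEMPT {' '.join(policy) or '(nothing)'}: "
              f"{len(enabled_ciphers(policy))} suites, "
              f"weakest still offered: {weakest_enabled_strength(policy)}")
```

Run it before and after editing the exemption list: if weakest_enabled_strength still reports NONE or LOW, the change did not remove what you thought it removed. Exempting by name is the precise tool for dropping a single suite (say, one RC4 suite) while leaving its neighbours, but it is also where a typo goes unnoticed, which is why the model refuses names that are not in the table.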

Configuring Your SSL Server (slide 15)
Note: Three connections should appear at SSLSERV start-up, indicating communication with the TCPIP stack.

Gathering SSL Status (slide 16)
It's up and running; now what?

Gathering SSL Status (slide 17): the SSLADMIN command
- Privileged command (authorized through :Admin_ID_List.)
- Reports information on SSL server status and connections
- Used to enable tracing and retrieve log files

Gathering SSL Status (slide 18): SSLADMIN QUERY STATUS

Gathering SSL Status (slide 19): SSLADMIN subcommands
- CLOSECON / LOG: retrieves the console log
- HELP: displays help information
- QUERY Status: returns general server data
- QUERY Cache: returns cache data
- QUERY Sessions: returns data on active secure sessions
- RESTART: quiesces and re-IPLs the SSL server
- REFRESH: reaccesses the certificate database
- STOP: stops the SSL server
- SYSTEM: used to issue a CP or CMS command
- TRACE / NOTRACE: enables / disables tracing
Because SYSTEM issues CP or CMS commands on the SSL server's behalf and STOP or RESTART take every secure session down with the server, :Admin_ID_List. should name only the userids that actually administer the server.

Gathering SSL Status (slide 20): Tracing
- Configured at start-up through DTCPARMS or VMSSL
- Can be turned on/off with SSLADMIN:

Gathering SSL Status (slide 21): Tracing, SSLADMIN options
- Normal: records successful connections
- All: tracing for all incoming connections; this can be narrowed to a particular IP address, port number or connection number
- Connections: records state changes and handshake results
- Data: displays the first 20 bytes of send/receive entries
- NoData

Gathering SSL Status (slide 22): Tracing, SSLADMIN options (continued)
- Flow: traces the flow of control and system activity
- Debug: extensive tracing for all control and system activities, plus data on ALL connections
- Usage note: both TRACE FLOW and TRACE DEBUG generate a lot of data; this not only causes a major performance impact but also fills spool space more quickly.
- NoTrace: turns off all tracing.
Data and Debug traces record bytes of the traffic passing through the server, so the resulting console and spool files can contain application data; handle them as sensitive and discard them once the problem is resolved.

Gathering SSL Status (slide 23): Example: TRACE FLOW ALL

Certificate Management (slide 24)

Certificate Management (slide 25): About gskkyman
- First available in z/VM 5.3.0 (LDAP server)
- Came to z/VM by way of z/OS
- Manages databases stored in a Byte File System
- SSL servers and LDAP servers can share databases and certificates
- GSKADMIN userid created to manage gskkyman

Certificate Management (slide 26): Accessing gskkyman
1. Log on to GSKADMIN (or another configured ID)
2. >> gskkyman

Certificate Management (slide 27): Creating a new certificate database
From the starting menu, select option 1:

Certificate Management (slide 28): Creating a new certificate database

Certificate Management (slide 29)

Certificate Management (slide 30): Opening a certificate database
2. Open Database
- GSKADMIN automatically mounts and accesses the database's directory
- Default database location: /etc/gskadm
- The database should be located at the mount point
- May require manual configuration if not using the defaults

Certificate Management (slide 31)

Certificate Management (slide 32): Database permissions

Certificate Management (slide 33): Database permissions
- Changes are made with BFS commands (openvm):
  openvm permit Database.kdb rw- r-- --- (replace
- Executes against the specified file
- Grants read, write and/or execute authority (owner, group, other)
- Upon creating a new database, permissions should be adjusted for <name>.kdb, <name>.rdb and <name>.sth
The .sth stash file holds the database password, so anyone who can read it can open the key database and use its private keys. Restrict it to the owner and to the group of the server userids that must open the database, and never grant access to "other"; the same applies to the .kdb file itself.

Certificate Management (slide 34): Importing certificates
Certificates can be imported into the certificate database through gskkyman.
First, place the certificate file in the appropriate BFS directory:
- Without key: tlslabel.arm
- With key: tlslabel.p12 (PKCS #12 format)
Command:
  openvm putbfs TESTCERT P12 A /etc/gskadm/testcert.p12 (bfsline none
Then, in gskkyman:
1. Manage keys and certificates
7. Import a certificate; or
8. Import a certificate and a private key

Certificate Management (slide 35): Importing certificates

Certificate Management (slide 36): Importing certificates with private keys

Certificate Management (slide 37)

The How-To Section (slide 38)
Wherein we answer all those other questions!

How to Designate a Secure Port (slide 39)
Explicit ("static") SSL:
- Establishes a permanently secure port for secure connectivity
- Standardized in RFC 2228
- PROFILE TCPIP: PORT statement
  PORT 21 TCP FTPSERV SECURE tlslabel
- tlslabel: name of the certificate in the database (maximum of eight characters)
- Port ranges can be used instead of a single port
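The PORT statement is where a listening port and a certificate label are tied together, and the slide's two constraints (an eight-character label, ranges allowed) are the things that fail at start-up. Below is an added example, written for this page rather than taken from IBM, that parses the PORT entries out of PROFILE TCPIP text, lists which tlslabels must exist in the gskkyman database, flags ports that are still cleartext, and rejects the malformed cases. It handles the one form shown on the slide plus the block layout of a real profile (a line holding only PORT followed by one entry per line). Assumed rather than taken from the page: that comments start with ";", that a range is written low-high, and that option keywords other than SECURE can be ignored for this purpose; the sample profile at the bottom is constructed for the example.

```python
"""Parser for the PORT statements that assign a tlslabel to a z/VM listening port.

Added example, not IBM's code.  It reads the one form shown on the slide
(PORT 21 TCP FTPSERV SECURE tlslabel) plus the block layout of a real
PROFILE TCPIP, where a line holding only PORT is followed by one entry per
line until some other statement begins.  Assumed, not from the page: that
comments start with ';', that a port range is written low-high, and that
option keywords other than SECURE can be ignored here.  The sample profile
at the bottom is constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PORT_SPEC = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")   # "21" or "3000-3010" (range syntax assumed)
MAX_TLSLABEL = 8                                          # limit stated on the slide


class ProfileError(ValueError):
    """A PORT entry the SSL server could not act on as intended."""


@dataclass(frozen=True)
class PortEntry:
    low: int
    high: int
    protocol: str
    owner: str            # userid of the server that owns the port
    tlslabel: str | None  # certificate label when SECURE was given

    @property
    def secure(self) -> bool:
        return self.tlslabel is not None


def _parse_entry(spec: re.Match, tokens: list[str], lineno: int) -> PortEntry:
    low = int(spec.group(1))
    high = int(spec.group(2) or low)
    if not 1 <= low <= high <= 65535:
        raise ProfileError(f"line {lineno}: port range {tokens[0]} is out of order or out of range")
    if len(tokens) < 3:
        raise ProfileError(f"line {lineno}: expected '<port> <protocol> <userid>'")
    protocol, owner = tokens[1].upper(), tokens[2].upper()
    options = tokens[3:]
    upper = [o.upper() for o in options]
    tlslabel = None
    if "SECURE" in upper:
        i = upper.index("SECURE")
        if i + 1 >= len(options):
            raise ProfileError(f"line {lineno}: SECURE must be followed by a tlslabel")
        tlslabel = options[i + 1]          # label case is kept as typed
        if not 1 <= len(tlslabel) <= MAX_TLSLABEL:
            raise ProfileError(f"line {lineno}: tlslabel {tlslabel!r} exceeds {MAX_TLSLABEL} characters")
    return PortEntry(low, high, protocol, owner, tlslabel)


def parse_port_statements(profile: str) -> list[PortEntry]:
    """Collect every PORT entry in PROFILE TCPIP text, in file order."""
    entries: list[PortEntry] = []
    in_block = False
    for lineno, raw in enumerate(profile.splitlines(), 1):
        tokens = raw.split(";", 1)[0].split()   # drop a trailing comment
        if not tokens:
            continue
        if tokens[0].upper() == "PORT":
            in_block, tokens = True, tokens[1:]
            if not tokens:                        # bare PORT line: entries follow
                continue
        spec = PORT_SPEC.match(tokens[0]) if in_block else None
        if spec is None:
            in_block = False                      # any other statement ends the block
            continue
        entries.append(_parse_entry(spec, tokens, lineno))
    return entries


def secure_ports_by_label(entries: list[PortEntry]) -> dict[str, list[tuple[int, int]]]:
    """tlslabel -> port ranges: the labels that must exist in the gskkyman database."""
    labels: dict[str, list[tuple[int, int]]] = {}
    for e in entries:
        if e.secure:
            labels.setdefault(e.tlslabel, []).append((e.low, e.high))
    return labels


def unsecured_ports(entries: list[PortEntry]) -> list[PortEntry]:
    """Ports with no tlslabel: cleartext unless the application secures itself."""
    return [e for e in entries if not e.secure]


def validation_error(profile: str) -> str | None:
    """Reason the PORT statements are unusable, or None if they all parse."""
    try:
        parse_port_statements(profile)
    except ProfileError as err:
        return str(err)
    return None


# Constructed sample, not a real customer profile.
SAMPLE_PROFILE = """\
; --- ports owned by TCP/IP servers ---
PORT
  20 TCP FTPSERV NOAUTOLOG        ; FTP data
  21 TCP FTPSERV SECURE FTPCERT   ; FTP control, permanently secure
  23 TCP INTCLIEN                 ; TN3270: TLS is set in INTERNALCLIENTPARMS instead
  25 TCP SMTP
  3000-3010 TCP FTPSERV SECURE FTPCERT ; range form (syntax assumed for this example)
SSLSERVERID SSLSERV TIMEOUT 30
  443 TCP WEBSERV SECURE WEBCERT    ; not a PORT entry: the block ended above
"""

if __name__ == "__main__":
    found = parse_port_statements(SAMPLE_PROFILE)
    print("labels to check in the certificate database:", secure_ports_by_label(found))
    print("cleartext ports:", [(e.low, e.owner) for e in unsecured_ports(found)])
```

The label list is what you compare against the labels gskkyman shows in the database (and re-check after SSLADMIN REFRESH); the cleartext list is the reminder that port 23 and port 25 are only protected if INTERNALCLIENTPARMS and SMTP CONFIG secure them, which is the subject of the next slide. The stray 443 entry in the sample shows the parser's block rule: an entry that lands after another statement is silently not a PORT entry, which is exactly the kind of edit mistake that leaves a port unsecured.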

How To Configure z/VM Applications for SSL (slide 40): configuration file updates
- TN3270: INTERNALCLIENTPARMS (in PROFILE TCPIP): SECURECONNECTION, TLSLABEL
- FTP: SRVRFTP CONFIG (server); FTP DATA (client): PASSIVEPORTRANGE, SECURECONTROL, SECUREDATA, TLSLABEL
- SMTP: SMTP CONFIG: TLS statement, TLSLABEL

...and how to reconfigure them dynamically (slide 41)
- z/VM applications support SMSG:
  SMSG FTPSERV QUERY SECURE
  SMSG FTPSERV SECURE CONTROL REQUIRED
  SMSG SMTP TLS NEVER
- z/VM Telnet: NETSTAT OBEY / OBEYFILE to adjust INTERNALCLIENTPARMS
- SSL server operating parameters (DTCPARMS) cannot be changed dynamically
- Certificate database changes are picked up by issuing SSLADMIN REFRESH from GSKADMIN (or another authorized userid)

How To Configure non-VM Clients for SSL (slide 42)
A bit about non-VM clients:
- Clients have varying options and capabilities
- Most will refer to explicit SSL as "SSL" and implicit as "TLS"
- All require a copy of the certificate from the database, stored locally, before they will trust the server
Example clients:
- Telnet: PComm 5.9 supports both explicit and implicit SSL
- FTP: CoreFTP, FileZilla, Attachmate, BlueZone
- SMTP: Eudora v7.0.1.0 for TLS

How To Configure non-VM Clients for SSL (slide 43): PComm 5.9, explicit SSL

How To Configure non-VM Clients for SSL (slide 44): PComm 5.9, implicit SSL

How To Export .P12 Files from z/VM 5.3 (slide 45)
Problem: z/VM 5.3's SSLADMIN EXPORT did not allow exporting certificates with their associated keys.
Solution: APAR PK75661
- New .RPM files for both SSLSERV and GSKit
- Adds the new SSLADMIN EXPORT ... WITHKEY option
- Fixes the TLS renegotiation flaw
Helpful links:
http://www.vm.ibm.com/related/tcpip/pk75661.html
http://www.vm.ibm.com/related/tcpip/tc53crmg.html

How To Export .P12 Files from z/VM 5.3 (slide 46)
1. Install the new .RPM files:
   - Reconfigure the Linux guest for connectivity (modsymlinks)
   - Back up the existing certificate database files
   - FTP the .RPM files onto the Linux guest
   - Uninstall the old .RPM files (first SSL, then GSKit)
   - Install the new .RPM files (first GSKit, then SSL)
   - Restore the certificate database files
   - Reconfigure the Linux guest for SSLSERV mode (modsymlinks)
   - Restart the SSL server
2. Log on to TCPMAINT
3. Disable SSL server tracing: ssladmin notrace

How To Export .P12 Files from z/VM 5.3 (slide 47)
4. Disable console spooling for this userid
5. Export the certificate with its associated key:
   SSLADMIN EXPORT <filename> <filemode> CERTWKEY <tlslabel> <password>
   Notes:
   - <filename> and <filemode> identify the target CMS file to be created; the new file will have filetype P12
   - <tlslabel> is the certificate label specified in your certificate database
   - <password> will be associated with the new file; it is case-sensitive and can consist of multiple tokens; leading and trailing blanks are removed
6. Send the new file to your 5.4 or 6.1 system
The P12 file contains the private key, protected only by <password>: transfer it over a channel you trust, and erase the intermediate copies once the import on the target system has succeeded.

How To Export .P12 Files from z/VM 5.3 (slide 48)
7. Store the P12 file in an appropriate BFS directory, e.g.
   openvm putbfs CERTWKEY P12 A /etc/gskadm/certwkey.p12 (bfsline none
8. Using gskkyman (as shown on the previous slides), import the .p12 file into the certificate database
9. Update the appropriate configuration files to use the new certificate label (e.g., PROFILE TCPIP, SRVRFTP CONFIG); or update the servers dynamically and issue SSLADMIN REFRESH

How To Export .P12 Files from z/VM 5.3 (slide 49): cleanup notes
- <password> should no longer be required. If <password> is retained, take appropriate measures to ensure it is adequately protected.
- Be certain that any console or other files that contain your certificate-with-key password(s) are properly discarded or erased.
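Step 4 keeps the password out of the spool, but the command line is still echoed wherever that console ends up (a saved console file, a session log on the workstation), and the password is the only thing protecting the exported private key. The script below is an added example for this page, not IBM code: it finds SSLADMIN EXPORT ... CERTWKEY commands in console text, masks the password, and reports which lines held one, so the cleanup note above can be acted on rather than assumed. It respects the slide's rule that the password may be several blank-separated tokens with leading and trailing blanks removed. Assumed rather than taken from the page: that the WITHKEY spelling from APAR PK75661 takes the same operands, that a console line may carry a timestamp or other prefix before the command, and that the log is available as plain text; the sample console is constructed.

```python
"""Find and redact certificate-with-key passwords left in console output.

Added example, not IBM's code.  It targets the command shape on slide 47,
  SSLADMIN EXPORT <filename> <filemode> CERTWKEY <tlslabel> <password>
where the password may be several blank-separated tokens.  Assumed, not from
the page: that the WITHKEY spelling from APAR PK75661 takes the same operands,
that a console line may carry a timestamp or other prefix before the command,
and that the log is available as plain text (e.g. a saved CMS console file).
The sample console below is constructed for the example.
"""
from __future__ import annotations

import re

# Everything after the tlslabel, up to the trailing blanks, is the password.
EXPORT_RE = re.compile(
    r"^(?P<command>.*?\bSSLADMIN\s+EXPORT\s+\S+\s+\S+\s+(?:CERTWKEY|WITHKEY)\s+\S+)"
    r"\s+(?P<password>\S.*?)\s*$",
    re.IGNORECASE,
)
MASK = "********"


def redact_line(line: str) -> tuple[str, bool]:
    """Return the line with any export password masked, and whether one was found."""
    m = EXPORT_RE.match(line)
    if m is None:
        return line, False
    return f"{m.group('command')} {MASK}", True


def redact_console(text: str) -> tuple[str, list[int]]:
    """Redact a whole console log; also report the 1-based lines that held a password."""
    out: list[str] = []
    hits: list[int] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        cleaned, found = redact_line(line)
        out.append(cleaned)
        if found:
            hits.append(lineno)
    return "\n".join(out), hits


def exposed_passwords(text: str) -> list[str]:
    """The password values themselves, so other files can be searched for them."""
    found: list[str] = []
    for line in text.splitlines():
        m = EXPORT_RE.match(line)
        if m is not None:
            found.append(m.group("password"))
    return found


# Constructed sample of what a TCPMAINT console could contain; not a real log.
SAMPLE_CONSOLE = """\
ssladmin query status
SSLSERV is running
SSLADMIN EXPORT CERTWKEY A CERTWKEY SERVCERT Two Word Pass
Export of certificate SERVCERT completed
12:01:05 ssladmin export othercrt a certwkey altcert s3cret!
ssladmin notrace
"""

if __name__ == "__main__":
    cleaned, hits = redact_console(SAMPLE_CONSOLE)
    print(f"passwords found on lines {hits}")
    print(cleaned)
```

Use exposed_passwords to grep any other file the session touched (FTP client logs, terminal emulator capture files) for the same strings, then overwrite or erase those files rather than just deleting the lines; redaction of a copy does not clean the original. If a line is reported, treat that password as disclosed and re-export with a new one.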

How To Be Your Own Certificate Authority (slide 50)
- Certificate Authorities: traditionally, third parties that vouch for the binding between an identity and a public key, so that clients can trust your certificates.
- With z/VM 5.4 and the use of gskkyman, you can be your own Certificate Authority.
- Allows a sysadmin to bypass going to places like Thawte or VeriSign to answer certificate requests and having to pay money for the privilege.
- The process involves several steps: see the TCP/IP LDAP Administrator's Guide, Chapter 15.
A private CA is only as trusted as its distribution: every client (see the non-VM client slides) must have your CA certificate installed before it will accept the certificates you sign, and the CA's private key needs at least the protection given to the server keys, since anyone holding it can issue certificates those clients will accept.

How To Be Your Own Certificate Authority (slide 51)

How To Be Your Own Certificate Authority (slide 52)

How To Be Your Own Certificate Authority (slide 53)

Questions? (slide 54)
(references on next slide)

References (slide 55)
Speaker: Brian Hugenbruch
E-mail: bwhugen at us.ibm.com
http://www.vm.ibm.com/devpages/hugenbru
Phone: USA 607.429.3660
z/VM SSL web pages:
- http://www.vm.ibm.com/related/tcpip/vmsslinf.html -- SSL Information
- http://www.vm.ibm.com/related/tcpip/tcsl540.html -- 540 Config and Install
- http://www.vm.ibm.com/related/tcpip/tcsslsvc.html -- SSL Service Notes
- http://www.vm.ibm.com/related/tcpip/ -- z/VM TCP/IP
Special thanks to: Alan Altmark, Mark Cibula, Will Roden Jr (retired)

Backup Slides (slide 56)
(because not everything fits inside the main presentation.)

Notable Service (slide 57)
z/VM 5.4.0:
- PK65850/PK73085 (UK40952)
- PK75268 (UK41626)
- VM64540 (UM32541)
- VM64569 (UM32592)
- VM64570 (UM32594)
z/VM 5.3.0:
- PK75661: SSLADMIN EXPORT WITHKEY
- PK52298: connection constraint relief for SSLSERV (SLES 9 SP3 and RHEL4 64-bit only)
- PK53928: related SSLADMIN changes
- PK53932: related TCPIP changes

Linux Support in z/VM 5.2 and 5.3 (slide 58)
SuSE:
- SLES 8 31-bit (5.2.0 only)
- SLES 9 31-bit
- SLES 9 64-bit
Red Hat Enterprise:
- AS3 31-bit (5.2.0 only)
- AS3 64-bit (5.2.0 only)
- AS4 31-bit
- AS4 64-bit